contrast-agent 4.7.0 → 4.10.0

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/protect/rule/sql_sample_builder'
 
 module Contrast
   module Agent
@@ -9,6 +10,12 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect NoSQL Injection rule.
         class NoSqli < Contrast::Agent::Protect::Rule::BaseService
+          # Generate a sample for the No-SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          include SqlSampleBuilder::NoSqliSample
+          # Defining build_attack_with_match method
+          include SqlSampleBuilder::AttackBuilder
+
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
 
@@ -31,40 +38,6 @@ module Contrast
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
 
-          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
-                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
-
-              return result
-            end
-
-            attack_string = input_analysis_result.value
-            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-            return unless query_string.match?(regexp)
-
-            scanner = select_scanner
-            ss = StringScanner.new(query_string)
-            length = attack_string.length
-            while ss.scan_until(regexp)
-              # the pos of StringScanner is at the end of the regexp (input string),
-              # we need the beginning
-              idx = ss.pos - attack_string.length
-              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
-              next unless last_boundary && boundary
-
-              kwargs[:start_idx] = idx
-              kwargs[:end_idx] = idx + length
-              kwargs[:boundary_overrun_idx] = boundary
-              kwargs[:input_boundary_idx] = last_boundary
-
-              result ||= build_attack_result(context)
-              update_successful_attack_response(context, input_analysis_result, result, query_string)
-              append_sample(context, input_analysis_result, result, query_string, **kwargs)
-            end
-
-            result
-          end
-
           protected
 
           def find_attacker context, potential_attack_string, **kwargs
@@ -79,25 +52,6 @@ module Contrast
             end
             super(context, potential_attack_string, **kwargs)
           end
-
-          def build_sample context, input_analysis_result, candidate_string, **kwargs
-            input = input_analysis_result.value
-
-            sample = build_base_sample(context, input_analysis_result)
-            sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
-            sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-            sample.no_sqli.start_idx = sample.no_sqli.query.index(input).to_i
-            sample.no_sqli.boundary_overrun_idx = sample.no_sqli.start_idx + input.length
-            sample.no_sqli.input_boundary_idx = kwargs[:boundary].to_i
-            sample.no_sqli.input_boundary_idx = kwargs[:last_boundary].to_i
-            sample
-          end
-
-          private
-
-          def select_scanner
-            @_select_scanner ||= Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
-          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
-require 'contrast/components/interface'
 require 'contrast/utils/stack_trace_utils'
 
 module Contrast
@@ -12,9 +11,6 @@ module Contrast
         # This class handles our implementation of the Path Traversal
         # Protect rule.
         class PathTraversal < Contrast::Agent::Protect::Rule::BaseService
-          include Contrast::Components::Interface
-          access_component :agent, :analysis
-
           NAME = 'path-traversal'
           SYSTEM_PATHS = %w[
             /proc/self
@@ -96,7 +92,7 @@ module Contrast
           end
 
           def custom_code_access_sysfile_enabled?
-            PROTECT.report_custom_code_sysfile_access?
+            ::Contrast::PROTECT.report_custom_code_sysfile_access?
           end
 
           def custom_code_accessing_system_file? input

data/lib/contrast/agent/protect/rule/sql_sample_builder.rb

@@ -0,0 +1,137 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/protect/rule/base_service'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        module SqlSampleBuilder
+          # Generate a sample for the SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for the current request
+          # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+          #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+          # @candidate_string [String] the value of the input which may be an attack
+          # @kwargs [Hash] key - value pairs of context individual rules need to build out details
+          #   to send to the Service to tell the story of the attack
+          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          module SqliSample
+            def build_sample context, input_analysis_result, candidate_string, **kwargs
+              sqli_sample = build_base_sample(context, input_analysis_result)
+              sqli_sample.sqli = Contrast::Api::Dtm::SqlInjectionDetails.new
+              sqli_sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              sqli_sample.sqli.start_idx = kwargs[:start_idx]
+              sqli_sample.sqli.end_idx = kwargs[:end_idx]
+              sqli_sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              sqli_sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              sqli_sample
+            end
+          end
+
+          # Generate a sample for the No-SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for the current request
+          # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+          #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+          # @candidate_string [String] the value of the input which may be an attack
+          # @kwargs [Hash] key - value pairs of context individual rules need to build out details
+          #   to send to the Service to tell the story of the attack
+          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          module NoSqliSample
+            def build_sample context, input_analysis_result, candidate_string, **kwargs
+              no_sqli_sample = build_base_sample(context, input_analysis_result)
+              no_sqli_sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
+              no_sqli_sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              no_sqli_sample.no_sqli.start_idx = kwargs[:start_idx].to_i
+              no_sqli_sample.no_sqli.end_idx = kwargs[:end_idx].to_i
+              no_sqli_sample.no_sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              no_sqli_sample.no_sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              no_sqli_sample
+            end
+          end
+
+          # This Module is how we apply the attack fo NoSQL and SQL Injection rule.
+          # It includes methods for building attack with match and database scanners
+          module AttackBuilder
+            # Set up an attack result and assigns Database scanner for the No-SQL and SQLI injection detection rules
+            #
+            # @param context [Contrast::Agent::RequestContext] the context for the current request
+            # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+            #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+            # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
+            #   in the case of multiple inputs being found to violate the protection criteria
+            # @query_string [string] he value of the input which may be an attack
+            # @kwargs [Hash] key - value pairs of context individual rules need to build out details to send
+            #   to the Service to tell the story of the attack
+            # @return [Contrast::Api::Dtm::AttackResult] the result from this attack
+            def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
+              if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                    mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+                return result
+              end
+
+              attack_string = input_analysis_result.value
+              regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
+
+              return unless query_string.match?(regexp)
+
+              database = kwargs[:database]
+              scanner = select_scanner(database)
+              ss = StringScanner.new(query_string)
+              length = attack_string.length
+              while ss.scan_until(regexp)
+                # the pos of StringScanner is at the end of the regexp (input string),
+                # we need the beginning
+                idx = ss.pos - attack_string.length
+                last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
+                next unless last_boundary && boundary
+
+                result ||= build_attack_result(context)
+
+                record_match(idx, length, boundary, last_boundary, kwargs)
+                append_match(context, input_analysis_result, result, query_string, **kwargs)
+              end
+
+              result
+            end
+
+            def select_scanner database
+              @scanners ||= {
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>
+                  Contrast::Agent::Protect::Rule::Sqli::MysqlSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_PG =>
+                  Contrast::Agent::Protect::Rule::Sqli::PostgresSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_SQLITE =>
+                  Contrast::Agent::Protect::Rule::Sqli::SqliteSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesNoSqliRule::DATABASE_NOSQL =>
+                  Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
+              }.cs__freeze
+
+              @default_scanner ||= Contrast::Agent::Protect::Rule::Sqli::DefaultSqlScanner.new
+              @scanners[database.to_s] || @default_scanner
+            end
+
+            def record_match idx, length, boundary, last_boundary, kwargs
+              kwargs[:start_idx] = idx
+              kwargs[:end_idx] = idx + length
+              kwargs[:boundary_overrun_idx] = boundary
+              kwargs[:input_boundary_idx] = last_boundary
+            end
+
+            def append_match context, input_analysis_result, result, query_string, **kwargs
+              input_analysis_result.attack_count = input_analysis_result.attack_count + 1
+              update_successful_attack_response(context, input_analysis_result, result, query_string)
+              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/policy/applies_sqli_rule'
+require 'contrast/agent/protect/rule/sql_sample_builder'
 
 module Contrast
   module Agent
@@ -10,6 +11,12 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect SQL Injection rule.
         class Sqli < Contrast::Agent::Protect::Rule::BaseService
+          # Generate a sample for the SQLI injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          include SqlSampleBuilder::SqliSample
+          # Defining build_attack_with_match method
+          include SqlSampleBuilder::AttackBuilder
+
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
@@ -31,76 +38,6 @@ module Contrast
 
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
-
-          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            attack_string = input_analysis_result.value
-            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-
-            return unless query_string.match?(regexp)
-
-            database = kwargs[:database]
-            scanner = select_scanner(database)
-
-            ss = StringScanner.new(query_string)
-            length = attack_string.length
-            while ss.scan_until(regexp)
-              # the pos of StringScanner is at the end of the regexp (input string),
-              # we need the beginning
-              idx = ss.pos - attack_string.length
-              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
-              next unless last_boundary && boundary
-
-              result ||= build_attack_result(context)
-              record_match(idx, length, boundary, last_boundary, kwargs)
-              append_match(context, input_analysis_result, result, query_string, **kwargs)
-            end
-
-            result
-          end
-
-          protected
-
-          def build_sample context, input_analysis_result, candidate_string, **kwargs
-            input = input_analysis_result.value
-
-            sample = build_base_sample(context, input_analysis_result)
-            sample.sqli = Contrast::Api::Dtm::SqlInjectionDetails.new
-            sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-            sample.sqli.start_idx = sample.sqli.query.index(input).to_i
-            sample.sqli.end_idx = sample.sqli.start_idx + input.length
-            sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
-            sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
-            sample
-          end
-
-          private
-
-          def record_match idx, length, boundary, last_boundary, kwargs
-            kwargs[:start_idx] = idx
-            kwargs[:end_idx] = idx + length
-            kwargs[:boundary_overrun_idx] = boundary
-            kwargs[:input_boundary_idx] = last_boundary
-          end
-
-          def append_match context, input_analysis_result, result, query_string, **kwargs
-            input_analysis_result.attack_count = input_analysis_result.attack_count + 1
-            update_successful_attack_response(context, input_analysis_result, result, query_string)
-            append_sample(context, input_analysis_result, result, query_string, **kwargs)
-          end
-
-          def select_scanner database
-            @sql_scanners ||= {
-                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>
-                    Contrast::Agent::Protect::Rule::Sqli::MysqlSqlScanner.new,
-                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_PG =>
-                    Contrast::Agent::Protect::Rule::Sqli::PostgresSqlScanner.new,
-                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_SQLITE =>
-                    Contrast::Agent::Protect::Rule::Sqli::SqliteSqlScanner.new
-            }.cs__freeze
-
-            @default_sql_scanner ||= Contrast::Agent::Protect::Rule::Sqli::DefaultSqlScanner.new
-            @sql_scanners[database.to_s] || @default_sql_scanner
-          end
         end
       end
     end

data/lib/contrast/agent/reaction_processor.rb

@@ -2,16 +2,15 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/disable_reaction'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
     # Because communication between the Agent/Service and TeamServer can only be initiated by outbound connections
     # from the Agent/Service, we must provide a mechanism for the TeamServer to direct the Agent to take a specific
     # action. This action is referred to as a Reaction. This class is how we handle those Reaction messages.
-    class ReactionProcessor
-      include Contrast::Components::Interface
-      access_component :logging
+    module ReactionProcessor
+      extend Contrast::Components::Logger::InstanceMethods
 
       # Process the given Reactions from the application settings based on what
       # TeamServer has indicated. Each Reaction will result in a log message

data/lib/contrast/agent/request.rb

@@ -7,7 +7,8 @@ require 'timeout'
 require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/hash_digest'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
@@ -16,8 +17,8 @@ module Contrast
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
     class Request
-      include Contrast::Components::Interface
-      access_component :agent, :logging, :scope
+      include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Components::Scope::InstanceMethods
 
       extend Forwardable
 
@@ -182,8 +183,11 @@ module Contrast
           res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
           res
         when Enumerable
-          res = val.each_with_index.each_with_object({}) do |(v, i), hash|
-            hash.merge! normalize_params(v, prefix: "#{ prefix }[#{ i }]")
+          idx = 0
+          res = {}
+          while idx < val.size
+            res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
+            idx += 1
           end
           res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
           res

data/lib/contrast/agent/request_context.rb

@@ -4,15 +4,14 @@
 require 'contrast/utils/timer'
 require 'contrast/agent/request'
 require 'contrast/agent/response'
-require 'contrast/utils/inventory_util'
-require 'contrast/components/interface'
-require 'contrast/delegators/input_analysis'
+require 'contrast/agent/inventory/database_config'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
-    # This class acts to encapsulate information about the currently executed
-    # request, making it available to the Agent for the duration of the request
-    # in a standardized and normalized format which the Agent understands.
+    # This class acts to encapsulate information about the currently executed request, making it available to the Agent
+    # for the duration of the request in a standardized and normalized format which the Agent understands.
     #
     # @attr_reader timer [Contrast::Utils::Timer] when the context was created
     # @attr_reader logging_hash [Hash] context used to log the request
@@ -26,8 +25,8 @@ module Contrast
     # @attr_reader route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
     # @attr_reader observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
     class RequestContext
-      include Contrast::Components::Interface
-      access_component :agent, :analysis, :logging, :scope
+      include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Components::Scope::InstanceMethods
 
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
 
@@ -63,11 +62,11 @@ module Contrast
 
           @sample = true
 
-          if ASSESS.enabled?
+          if ::Contrast::ASSESS.enabled?
             @sample_request, @sample_response = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
           end
 
-          @sample_response &&= ASSESS.scan_response?
+          @sample_response &&= ::Contrast::ASSESS.scan_response?
 
           append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
         end
@@ -85,9 +84,11 @@ module Contrast
         @sample_response
       end
 
-      # Convert the discovered route for this request to appropriate forms and
-      # disseminate it to those locations where it is necessary for our route
-      # coverage and finding vulnerability discovery features to function.
+      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
+      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
+      #
+      # @param route [Contrast::Api::Dtm::RouteCoverage, nil] the route of the current request, as determined from the
+      #   framework
       def append_route_coverage route
         return unless route
 
@@ -108,8 +109,8 @@ module Contrast
       # Collect the results for the given rule with the given action
       #
       # @param rule [String] the id of the rule to which the results apply
-      # @param response_type [Symbol] the result of the response, matching a
-      #   value of Contrast::Api::Dtm::AttackResult::ResponseType
+      # @param response_type [Symbol] the result of the response, matching a value of
+      #   Contrast::Api::Dtm::AttackResult::ResponseType
       # @return [Array<Contrast::Api::Dtm::AttackResult>]
       def results_for rule, response_type = nil
         if response_type.nil?
@@ -120,8 +121,8 @@ module Contrast
       end
 
       def service_extract_request
-        return false unless AGENT.enabled?
-        return false unless PROTECT.enabled?
+        return false unless ::Contrast::AGENT.enabled?
+        return false unless ::Contrast::PROTECT.enabled?
         return false if @do_not_track
 
         service_response = Contrast::Agent.messaging_queue.send_event_immediately(@activity.http_request)
@@ -145,10 +146,9 @@ module Contrast
         false
       end
 
-      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations
-      # when the protect state indicates a security exception should be thrown. This method
-      # ensures that the attack reports are generated. Normally these should be generated on
-      # Speedracer for any attacks detected during prefilter.
+      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
+      # indicates a security exception should be thrown. This method ensures that the attack reports are generated.
+      # Normally these should be generated on Speedracer for any attacks detected during prefilter.
       #
       # @param agent_settings [Contrast::Api::Settings::AgentSettings]
       def handle_protect_state agent_settings
@@ -165,9 +165,8 @@ module Contrast
         raise Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior'))
       end
 
-      # append anything we've learned to the request seen message
-      # this is the sum-total of all inventory information that has
-      # been accumulated since the last request
+      # append anything we've learned to the request seen message this is the sum-total of all inventory information
+      # that has been accumulated since the last request
       def extract_after rack_response
         @response = Contrast::Agent::Response.new(rack_response)
         activity.http_response = @response.dtm if @sample_response
@@ -185,14 +184,13 @@ module Contrast
 
       def reset_activity
         @activity = Contrast::Api::Dtm::Activity.new(http_request: request.dtm)
-        @server_activity = Contrast::Api::Dtm::ServerActivity.new # it doesn't look like this is ever actually used?
+        @server_activity = Contrast::Api::Dtm::ServerActivity.new
         @observed_route = Contrast::Api::Dtm::ObservedRoute.new
       end
 
       private
 
-      # Generate attack results directly from any evaluations on the
-      # agent settings object.
+      # Generate attack results directly from any evaluations on the agent settings object.
       #
       # @param agent_settings [Contrast::Api::Settings::AgentSettings]
       def build_attack_results agent_settings
@@ -201,15 +199,14 @@ module Contrast
         attack_results_by_rule = {}
         agent_settings.input_analysis.results.each do |ia_result|
           rule_id = ia_result.rule_id
-          rule = PROTECT.rule(rule_id)
+          rule = ::Contrast::PROTECT.rule(rule_id)
           next unless rule
 
           logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
 
           attack_result = if rule.mode == :BLOCK
-                            # special case for rules (like reflected xss)
-                            # that used to have an infilter / block
-                            # mode but now are just block at perimeter
+                            # special case for rules (like reflected xss) that used to have an infilter / block mode
+                            # but now are just block at perimeter
                             rule.build_attack_with_match(self, ia_result, attack_results_by_rule[rule_id],
                                                          ia_result.value)
                           else